Cyber Defence Report - January 2021

In December one of the biggest global cyber-attacks took place, but before I get to that, let me tell you about my eventful Christmas…

It was Boxing Day evening; I was just about to tuck into my third helping of turkey and chips when my mobile rang. I should have known better than to think CyberGuard’s Sales Consultant was calling me to wish me a Merry Christmas. He had taken a call from a company that had suffered a ransomware attack. I agreed to call the customer and discuss the issue. Well, I suppose there is only so much Vicar of Dibley you can watch.

The IT Manager answered the phone. I could tell immediately that things were bad by the sound of panic in his voice. I don’t mean to sound dramatic, but it was pandemonium. There is no other word to describe it… the situation was changing rapidly, and as I began to get the full picture, things appeared to be getting worse.

What information did the IT Manager have? The ransomware group was called Darkside (see last month’s report). He wasn’t sure what was encrypted yet, as he couldn’t get on to the virtual management server, but I advised him that it would be all of them. I asked him whether the backups were OK; he hadn’t checked at this point. I then asked him to clarify how he backs up. He informed me it was Veeam to Network Attached Storage (NAS); he then confirmed the NAS was on the domain… I hadn’t felt this stressed since Christmas Eve, when I was hunting for my wife’s Christmas present!

At this point it’s important to understand the evolution of ransomware. These large ransomware groups are highly skilled, highly organised, and highly motivated. They spend large amounts of time perfecting their intrusion, avoiding detection and deploying their ransomware payload. With all this time spent on developing malware, these guys want to see a return on investment.

It started with basic encryption, and some customers paid… but not enough. So now part of the encryption process is to target the backups and either encrypt them or delete them. As many companies now use cloud backups, getting to the backup is “sometimes” difficult. To combat this, ransomware groups have started to exfiltrate data from the networks, which they will release publicly if you don’t pay.

The customer in question didn’t use a cloud provider; the backups were on the same domain as the main network, using the same compromised credentials.

As I downed my last snowball cocktail, I logged on to the dark web to discover the ransom had been set at 1.4 million dollars!

This story is still ongoing, and I will update you on the outcome next month, but I urge you to check your backups and make sure you have an offline copy (tape, cloud, multiple clouds). Make sure you don’t use the same passwords that you use on your Active Directory domain. One last thing: I know it’s boring, but you need to test these backups regularly, and I don’t mean restoring one server... I mean a full DR.
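One practical way to act on the advice above is to keep a hash manifest of the backup set on media the domain cannot reach, then compare the live backup set against it so that deleted or overwritten (encrypted) backup files are caught before you need them. This is an added example, not the author’s or Veeam’s code; the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Hash every file under root. Store the result on offline media,
    not on the NAS or anywhere reachable with domain credentials."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare the current backup set against a trusted manifest.
    Returns (missing, changed): files that have been deleted and files
    whose contents no longer match, the two outcomes the report describes."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    return missing, changed


def demo():
    """Constructed sample: three Veeam-style backup files, then two of them tampered with."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        for name in ("srv01.vbk", "srv02.vbk", "srv03.vbk"):
            (r / name).write_bytes(f"constructed full backup of {name}".encode())
        manifest = build_manifest(root)  # taken while the set is known-good

        # Simulate what the report describes: one backup deleted, one
        # overwritten with ciphertext (random bytes stand in for it here).
        (r / "srv02.vbk").unlink()
        (r / "srv03.vbk").write_bytes(os.urandom(64))

        return verify_backup(root, manifest)


if __name__ == "__main__":
    missing, changed = demo()
    print("deleted backups:", missing)
    print("modified backups:", changed)
```

Run the manifest step immediately after a known-good backup and the verify step on a schedule, alerting on any non-empty result; a clean run is also the moment to exercise the full DR restore the report asks for.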

In early December cyber security giant FireEye announced it had suffered an intrusion that resulted in the theft of some 300 proprietary software tools that the company provides to clients to help secure their IT operations. This came as a massive shock to many, as FireEye are a global leader in cyber security, and many asked how this could happen.

Shortly after, news broke that United States government agencies and corporations alike, as well as international targets, were victims of a massive nation-state espionage campaign.

The hackers, who have been widely reported as Russian, compromised high-profile targets like the US Commerce, Treasury, Homeland Security, and Energy Departments, as well as companies like the security firm FireEye. All of the attacks appear to stem from one initial compromise of the IT infrastructure and network-management firm SolarWinds. Hackers had breached the company as far back as October 2019, then planted malicious code in software updates to its network-monitoring tool, Orion.

Any customer that installed an Orion patch released between March and June inadvertently planted a Russian backdoor on their own network.

I know I have been telling you to patch everything, but this highlights a new area of compromise: “the supply chain”.

The full Wired article can be read here.

This is another story that is still evolving, but one thing that has surfaced is that the password protecting an update server that supplied software to US government and large enterprise customers was reportedly solarwinds123!!

Happy new year.

Stay safe